Back in July the revslider WordPress plugin was discovered to have a vulnerability that allowed arbitrary files to be downloaded. This was specifically for version 4.1.4.

This vulnerability has been actively used to infect WordPress websites.

Normally, being able to download a file to your local computer isn’t a huge news flash. However, when you consider this allows people to download your wp-config.php, which contains all the login information for your database, it can be used in a variety of ways by cybercriminals.

I bring this up because we’ve been seeing a number of websites infected this way.

When the hackers download the wp-config.php file, they strip out the database login credentials and then try to login to the database remotely. If successful, they either add another user with administrative rights or change the password to one of the existing users with administrative rights.

Next, they login and either upload a malicious backdoor or use the theme-editor to inject malicious code in the theme files.

I would like to mention that some hosting providers, Bluehost, Hostmonster, JustHost and many others, don’t allow remote access to phpMyAdmin in the cPanel by default. You have to whitelist an IP address to enable remote access to phpMyAdmin.

That basically kills this specific attack in their environments. However, that’s only this specific attack. Other files could be downloaded that would provide the attackers enough information to be able to infect the website.

Also, some website owners use the same username and password as their cPanel. This could be disastrous. Never use the same password as your cPanel. Never.

As always, keep all your plugins and WordPress updated.

Always!

Thank you for reading. If you have this plugin contact me for a way to test your site (no charge).